There is a good reason for the sharing to take place (e.g. to meet a contractual obligation or pursue a research project).

The individuals have been made aware their data is being shared.

The minimum amount of personal data is shared.

The sharing is for the minimum time and it is clear what then happens to the data.

The sharing is done as securely as appropriate for the data involved.

The sharing is documented.

For some sorts of sharing, contracts or other agreements are required. Templates are published and/or available on request from the Information Compliance Office as described below.

Sharing outside the EEA: if the country has not been declared 'adequate' by the EU Commission, then the EU model clauses should normally be used (an alternative for US recipients is their registration under the EU-US Privacy Shield). Templates are published and/or available on request from the Information Compliance Office as described below.

The GDPR sets certain restrictions and conditions when the University shares personal data with third party organisations. This is to ensure that the personal data are protected adequately and handled properly by others.

Remember that these restrictions and conditions only apply where the sharing involves personal data – i.e. information about living identifiable individuals. So the sharing of thoroughly anonymised data is not subject to any restrictions.

The University quite rightly shares personal data about applicants, students, staff, alumni, research participants and others for multiple reasons with numerous third parties.

There is a good reason for the sharing to take place (e.g. to meet a contractual obligation or pursue a research project).

The individuals whose personal data is involved have been told about the sharing, whether in the overarching privacy notices supplied to University applicants, students, staff and alumni, or in a more specific communication/notice.

Consideration has been given as to how to share the minimum amount of personal data necessary to achieve the purpose.

Consideration has been given as to the length of the sharing arrangement and what will happen at the end of it.

Consideration has been given as to how to share the personal data securely (e.g. by tracked/signed-for post or courier delivery, encrypted file transfer or password-controlled access rights).

Where the University shares personal data with a third party for joint purposes, the organisations are known as 'joint data controllers' (Article 26 of the GDPR). The sharing is usually long-term/ongoing.

In these circumstances, it is mandatory to:

Have a documented arrangement (not necessarily a contract) setting out respective roles and responsibilities with regard to data protection matters, including who individuals can contact if they want to complain or exercise any of their rights under the GDPR.

Be transparent, by making the essence of this arrangement available to the individuals whose data is shared, if not included in the privacy notice.

Examples of such data sharing at the University are:

The sharing of personal data between the University, Colleges and Cambridge in America, for example on CamSIS or alumni/development databases.

Research collaborations where both/multiple parties are equally responsible for the personal data.

Tools to assist with such sharing:

Sharing with the Colleges and Cambridge in America is covered by an all-encompassing data sharing protocol.

For research collaborations involving the joint control of personal data: the Research Operations Office will help to ensure that any relevant research agreements and contracts contain the necessary clauses.

Where the University shares personal data with a third party for it to use for its own purposes, each organisation is a separate 'data controller'. The sharing might be one-off, long-term or ongoing. The third party might be closely 'related to' the University (such as a Trust, a Student Union or a student society) or wholly unrelated to the University (such as HMRC).

In these circumstances, there are no mandatory restrictions or conditions, but it is advisable to do the following unless the sharing is required by law:

Use the template data sharing agreement so that all parties are clear about the nature of the arrangement.

Conduct and document due diligence checks to ensure that the arrangement has been carefully considered in line with the general points listed above.

Examples of such data sharing at the University are:

Sharing lists of students with local authorities to assist with students' exemption from Council Tax.

Sharing lists of staff or students with trade/student unions for union membership purposes.

Sharing information about those staff jointly employed by the University and an NHS Trust for employment administration.

Sharing information about applicants, students or staff with actual or potential funders/sponsors.

Sharing an existing research dataset with a third party organisation (e.g. another university) for them to carry out new research using the personal data. (This also works the other way round, whereby a University researcher might be the recipient of a dataset created by a third party organisation.)

CUDAR has a template agreement for sharing the personal data of alumni with individuals (e.g. volunteers).

When sharing personal data in a research context with a third party (which is not a collaborator): the Research Operations Office will help to ensure that any relevant research agreements and contracts contain the necessary clauses. (Note that, although outside the scope of this guidance page, such agreements and contracts are usually required in a research context even where the sharing consists solely of anonymised data.)

Where the University shares personal data it controls with a third party for it to carry out operations in relation to that data on behalf of the University, the third party is known as a 'data processor' (Article 28 of the GDPR). The sharing might be one-off, long-term or ongoing, and it applies primarily to situations where the University is outsourcing or offering a function involving personal data (whether storage or more active management) that it could have chosen to do for itself.

In these circumstances, it is mandatory to:

Have a binding contract that commits the data processor to certain standards, including with regard to security, the engagement of further 'sub-processors', helping the University to meet its GDPR obligations with regard to individual rights and accountability requirements, and cooperating with University audits and inspections. The ICO website outlines the full list of topics that must be included in the contract; the 'tools' listed below incorporate these. The list of topics is much more extensive than was required under the Data Protection Act 1998 (where the primary focus was on the data processor's security measures and its adherence to the data controller's instructions).

Examples of such data sharing at the University are:

Sharing lists of alumni with a mailing house to enable the despatch of an alumni magazine.

Using a cloud storage or other third party provider to store the personal data of staff, students or others.

Using a form hosted on a third party website to run a survey or collect information from staff, students or others.

Using a supplier to provide a service to staff, students or others that involves the supplier handling the contact or other details of those individual staff or students.

Using a third party company to perform specialist analysis on a University research dataset containing personal data in order to return the results of the analysis to the Principal Investigator.

If that is not possible, it may be that the contract terms (or terms of business) of the third party contain adequate clauses; advice should be sought from the Information Compliance Office or the Legal Services Office on a case-by-case basis (note too that the Procurement Services Office or UIS might have central arrangements in place with preferred suppliers). The standard terms and conditions of many major cloud-based IT suppliers (e.g. those offering services in the areas of data storage, online surveys/forms, mass communications or event management) already contain adequate clauses, but a formal list of University-approved/vetted services does not yet exist (though UIS has published some guidance on personal data storage options, including University-managed cloud services).

When using a third party data processor to handle personal data in a research context: the Research Operations Office will help to ensure that any relevant research agreements and contracts contain the necessary clauses.

Because the GDPR applies across the EEA, there are additional restrictions and conditions when data sharing involves a transfer outside the EEA so as to ensure that the personal data are still covered by an 'adequate' level of protection after they have been transferred (Articles 44-50 of the GDPR). Remember that these requirements are in addition to the requirements listed above.

If the third party organisation is based in the USA and has signed up to the Privacy Shield initiative run by the US Government. Before contracting and sharing personal data with the organisation, check its certification on the official list of participating organisations. The Privacy Shield arrangement constitutes a specific type of adequacy finding under Article 45 of the GDPR. This approach to adequacy is incorporated as optional drafting within the standard University data processing agreement published on the Procurement Services Office webpages. Many major cloud-based IT suppliers operating from the US (e.g. those offering services in the areas of data storage, online surveys/forms, mass communications or event management) are signed up to the Privacy Shield, but a formal list of University-approved/vetted services does not yet exist.

If the third party organisation has signed up to, or will sign as part of contractual documentation, the European Commission's standard contractual clauses for transfers, without any amendment (Article 46(2)(c) of the GDPR). Different clauses are required depending on whether the sharing is with another data controller (Category 2 above) or with a data processor (Category 3 above). A pre-completed model, to use with the standard University data processing agreement, is published on the Procurement Services Office webpages.

In certain circumstances the adequacy requirement can be circumvented for occasional/limited personal data transfers. Article 49 of the GDPR lists a number of such 'derogations' (exceptions). Examples include:

Where the individuals have explicitly consented to the transfer in advance.*

Where the transfer is necessary to fulfil a contract (or to take pre-contractual steps) with the individuals.*

Where the transfer is necessary to fulfil a contract between the data controller (the University) and a third party organisation that supports the interests of the individuals.*

Where the transfer is necessary for important reasons of public interest (e.g. exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for major public health initiatives) or to protect an individual's own vital interests where they cannot give consent.

* The derogations in the first three (asterisked) bullet points above are not available to 'public authorities in the exercise of their public powers'. Although the University is defined as a UK public authority for GDPR purposes, it is a 'hybrid' authority; it does not act in all aspects as a public authority in the exercise of public powers. In particular, it is not considered that student or staff recruitment and administration themselves constitute the exercise of a public power. Therefore these derogations can apply to occasional/limited personal data transfers necessitated, for example, by overseas trips/travel, fieldwork, recruitment, and so on, involving student or staff personal data.